packages we install from others dists than Debian stable, e.g. from Debian testing or Debian sid. A good example of the problem is the linux kernel which we install from sid; for instance, at the time of the 3.2 freeze we got linux 4.12.12-2, but in the middle of the freeze linux 4.12.13-1 was uploaded to sid, and it was not noticed until the final 3.2 was built so we missed out on several security updates.

packages we override with our custom APT repo, see e.g. #14729 for one instance of this problem